Re: json-stream-read should validate json too Amirouche Boubekki 23 Jan 2020 19:24 UTC

> For small json structures, speed does not really
> matter because it won't take long either way (unless you have to
> process zillions of small json structures).

When one does receive json from untrusted source, it must validate it
*and* apply some limits to not open the door to DOS attacks via an OOM
kill or interperter crash or something.

They are tiny crafted xml files that can lead to OOM:
https://en.wikipedia.org/wiki/Billion_laughs_attack